Please note: all guidance and information contained in this post was correct at the time of publishing, but may now be out of date.

How to be a more digitally secure charity in the post COVID era

Oct 30, 2020 | Cyber Security

Charities have played an essential part in supporting people and activities during the Covid pandemic.  But, if a charity was to suffer a cyber attack during lockdown, it would be more catastrophic than usual.  Not only would the charity not be able to access its data and not be able to deliver its services, but there would also be limited access to support and recovery teams.

This situation is exacerbated by the opportunistic nature of cyber criminals seeking to exploit the global pandemic in attacks that use the ‘hook’ of COVID 19 to commit fraud and the fact that most charities have had to ask their volunteers to work from home and put their resources and services almost entirely online.

Is it any wonder that in a  recent  ‘Charity Digital’ podcast, Cub Llewelyn Davies, the charity sector lead at the National Cyber Security Centre (NCSC) has admitted some serious concerns about the charity sector during lockdown, particularly those delivering front line services?
Yet, despite the change in circumstances, reports suggest that there have not been any big increases in cyber attacks this year in the voluntary sector. Despite new opportunities for cyber criminals, neither has there been a spike in phishing attacks. Surely this demonstrates how well small charities are doing with their cyber security basics.

Most charities realise by now that they are not usually targets of cyber crime, but they could still be victims of the numerous indiscriminate attacks that can affect any online organisation. Anyone can be a victim of the most common and wide reaching attacks such as phishing and ransomware.

In April this year, the NCSC launched their suspicious email reporting service. Any dodgy looking email can be forwarded to: [email protected] and the automated service will analyse the email for links and attachments. If there is anything malicious about the message, the NCSC are able to take action, whether it be to take down the malicious website or to stop further emails going out to members of the public. Over 800,000 messages have been dealt with already often leading to the dismantling of threats that were previously unknown.

As we look ahead, to anticipate coming out of lockdown, many organisations are considering how they are going to adapt to the ‘new normal’. Charities are looking to build on the digital momentum created by the pandemic and to review their technology and cyber security for the future of their remote operations. One piece of guidance that has become particularly salient right now is the NCSC’s guide to ‘Moving business from physical to digital’

It is important to consider some key questions to identify current risks and areas for improvement.

  • Have you set up security procedures for home working staff ?
  • Are you accessing your organisation’s network and data in a secure way?
    • Could you use a Virtual Private Network to remotely access your organisations network and data? This would guarantee the security of data while it is in transit.
  • Do you have sufficient storage capacity now you are not in the office?
  • Are you regularly backing up all your essential data? (This is the best way to limit the effects of a ransomware attack)
  • Could this be the right time to move some parts of your business to the cloud?
    • It is predicted that post pandemic, the cloud will be a much more integral part of how organisations operate, as it easily enables remote working, secure access to data, managed storage and back ups. The NCSC recommend that charities consider outsourcing to the cloud as the eminently scalable nature of cloud services allow for all the natural fluctuations that are part and parcel of the voluntary sector. There are some great discount packages available through the Charity Digital exchange
  • What access to IT support do your staff and your volunteers have if they are no longer in the office?
    • It is recommended that you take time to identify all the software and services that you use, draw up a plan for your staff of where and how to get support if anything goes wrong and an escalation process in case anything goes badly wrong. Planning and policy making will help you be better prepared and hence more resilient.
  • Do you have or could you introduce an IT consultant or cyber security professional on your board of trustees?
    • This would ensure that your organisation is receiving some knowledgeable advice and having the right conversations.

If you are a small charity: the NCSC’s Small Charity Guide can help you nail the basics. Cyber Essentials is a great way to check that you have implemented the five key controls that prevent most cyber attacks. Many charities report that the process of certifying acts like a check list and gives them huge peace of mind.

If you are a larger charity, the NCSC’s 10 Steps to Cyber Security will help you to identify what to do within a more complex infrastructure. IASME Governance is a standard that goes into more depth, to include risk assessment, backing up data, policy and procedures, staff training and alignment with data protection regulations.

With digital services online and remote working the norm, this could be the year to go that step further and show your customers and sources of funding that you have prioritised cyber security and have the certification to show for it. With this in mind, The IASME Consortium in conjunction with some of our Certification Bodies, are offering both the Government-backed Cyber Essentials and the IASME Governance certifications at a discounted price.  Find out more today and receive a discounted certification for your charity as part of the #cybersecurecharities initiative.